Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 04:55

General

  • Target

    2024-10-12_aed15c0f5fc4594aa2ce31f4972588f1_goldeneye.exe

  • Size

    344KB

  • MD5

    aed15c0f5fc4594aa2ce31f4972588f1

  • SHA1

    c5059499eaee881b2c5b2230669e729d9a918c3b

  • SHA256

    ffc7cd854d3f5997e58d485f5f2e77b9e522f51226143f53fecaea43b893f6e1

  • SHA512

    7385f44dcb3c472314fecb8023a114e6299a641e92ddf059d831a68b99990eed97445c86e655dfdc3eb7ca354059b40c2180c614a7b01577465c477126968432

  • SSDEEP

    3072:mEGh0oZyqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEF:mEG3yqlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_aed15c0f5fc4594aa2ce31f4972588f1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_aed15c0f5fc4594aa2ce31f4972588f1_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\{EB7B593B-8928-40c6-9B53-5539B1C28A1B}.exe
      C:\Windows\{EB7B593B-8928-40c6-9B53-5539B1C28A1B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\{D620CF8D-2144-4bc3-AE28-8371B2FE13C2}.exe
        C:\Windows\{D620CF8D-2144-4bc3-AE28-8371B2FE13C2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\{94FC55A8-294D-40c2-A5C1-AD1D36B30ABD}.exe
          C:\Windows\{94FC55A8-294D-40c2-A5C1-AD1D36B30ABD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\{C0291EF7-D268-4c34-AC4E-203C0D3C31EF}.exe
            C:\Windows\{C0291EF7-D268-4c34-AC4E-203C0D3C31EF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3576
            • C:\Windows\{5CB24C4D-AA13-4630-9486-A9C5D9D97813}.exe
              C:\Windows\{5CB24C4D-AA13-4630-9486-A9C5D9D97813}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5040
              • C:\Windows\{9BE55068-AB1E-4dae-9B6B-DAAF95FDE7E1}.exe
                C:\Windows\{9BE55068-AB1E-4dae-9B6B-DAAF95FDE7E1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4112
                • C:\Windows\{57E24E73-6AF5-4aa2-A58C-D1ED4B118079}.exe
                  C:\Windows\{57E24E73-6AF5-4aa2-A58C-D1ED4B118079}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:828
                  • C:\Windows\{CFE17162-84E6-4d59-AAA8-BC2E922B9BDD}.exe
                    C:\Windows\{CFE17162-84E6-4d59-AAA8-BC2E922B9BDD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5112
                    • C:\Windows\{8B0666D7-8DA1-477b-882B-C56541910117}.exe
                      C:\Windows\{8B0666D7-8DA1-477b-882B-C56541910117}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1912
                      • C:\Windows\{5BE5D593-3CC9-4b1e-96B0-C622C00B5891}.exe
                        C:\Windows\{5BE5D593-3CC9-4b1e-96B0-C622C00B5891}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1356
                        • C:\Windows\{58AEE73B-07DD-467d-BAA1-AB1C23C27DC9}.exe
                          C:\Windows\{58AEE73B-07DD-467d-BAA1-AB1C23C27DC9}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2128
                          • C:\Windows\{34ABA4B6-381C-4a51-BA81-5B3833967644}.exe
                            C:\Windows\{34ABA4B6-381C-4a51-BA81-5B3833967644}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3640
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{58AEE~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE5D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3452
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B066~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2432
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE17~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4432
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{57E24~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:224
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE55~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5CB24~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3136
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C0291~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1352
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{94FC5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D620C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB7B5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{34ABA4B6-381C-4a51-BA81-5B3833967644}.exe

    Filesize

    344KB

    MD5

    2e9266c1dc31a4c78bfa598269075a1d

    SHA1

    4f843f29874e992b7f5ef76604ddd1efefb556ae

    SHA256

    52449c2058f0ceebdc842b59af612424695dec4e60b424dfd40644c42c356f5b

    SHA512

    4acc60219fa8f67c4117a2e77c9f2091a182051be4cb5da34edabb5d9c3020ccb6b424868bd31175d3281f22390e2d5211e3b6900b9870cfb2e59a476de91fd5

  • C:\Windows\{57E24E73-6AF5-4aa2-A58C-D1ED4B118079}.exe

    Filesize

    344KB

    MD5

    de3288d61576a62c23c42a5e7b5e54c9

    SHA1

    86c978840f0f2f7f7fba81a07bc09c6cb30fc234

    SHA256

    503cd356a11c53d4c43ebe37578cdcb83cba09d72951a2e80f64efeca36a402e

    SHA512

    392bb43ba2d6bce37dba3fa0eabd5309e53ec8ca2abc06626a3021c57405d780475fc8a5b9d31090efba8cbec7d06e60be04dbbe2856d312bdd7e0ecded01b1e

  • C:\Windows\{58AEE73B-07DD-467d-BAA1-AB1C23C27DC9}.exe

    Filesize

    344KB

    MD5

    bdbc347c4180dcf1962e7bfbd388e4fb

    SHA1

    6d7b8661ae06ec288f4305b4ef1e7defa633db86

    SHA256

    37c3f59d61965e5728b3e9529e5cee6cb45fcec785bc300d33b8d5c9f09c45f5

    SHA512

    bdb5dd5ee5a3450afac9a38df6fb5cd33d1cf8684ae0de7a1efe5528b0dc98cd7c2e3fbabdbe83bfbd69ba7a9863cf4154a4489d0a7daaef001dffd3cd45a5ba

  • C:\Windows\{5BE5D593-3CC9-4b1e-96B0-C622C00B5891}.exe

    Filesize

    344KB

    MD5

    a77a77b01a179f5539ad66b95a7a0d57

    SHA1

    47c5a5d49558a3224a7b9c13eda0ec11d7bdb692

    SHA256

    0b619cfed32bd0847282a8a25024165a50aa410293c0f6a4972a0ad0d6f477da

    SHA512

    2b1b6dcb35098b4213efe93fba17e4c9789a197c5d9948bdf444edc550dbad83dd48c3a81cc9656fd4544c4bfa1093a88a72d2b03357c9aecce93d8abf0a4c8e

  • C:\Windows\{5CB24C4D-AA13-4630-9486-A9C5D9D97813}.exe

    Filesize

    344KB

    MD5

    bd979dfeeafa8480e228e595e7e8722f

    SHA1

    091eb10b6fa3f005d3f66946315b9bc259a52f9a

    SHA256

    abceb9182fefd76fd7306f9136583c7cb655df7de3feacf3dd0d48246ea3441b

    SHA512

    a653d0bbfd0fe8630d30a0609fd908164be2758a883a38632d71f1de1068363cce0f0b6cfadfda69026ec6fc19f2952c925ba84d7adeb6ae8ac95a21c2886bc2

  • C:\Windows\{8B0666D7-8DA1-477b-882B-C56541910117}.exe

    Filesize

    344KB

    MD5

    f336a34711bc6ceeca30c892e1ed745e

    SHA1

    4e1d0d90985e61afae1b45b09c097f4dc4edd2f3

    SHA256

    f9818b6bef692c1b9ea704ec0efbd4fc47620f8771fb0a6cc3c1f498852d04a2

    SHA512

    16eb916f56c3577079da362f7df1af602521095772acc70af4de6f1744867aaeffb3d97cb42820f6f3c2286cf63f97c3738779e1a2dc96af4a8ef2c8d01b7d04

  • C:\Windows\{94FC55A8-294D-40c2-A5C1-AD1D36B30ABD}.exe

    Filesize

    344KB

    MD5

    fd5672ed18ede7b5bf782f775d57c516

    SHA1

    56068fceb13bd445982458d3e1c50e1cddb132ed

    SHA256

    67f79c4a79301cd2ca87553617a4b7814f8bd533be4b445e5bba8091b80dcb48

    SHA512

    717e13e01b6adcd1547bf0fb6f660890ced5131f0f225d08a26f460352b11c7411b94e6e2e7cbadbe1cbd97f8f8a446441027a1f889cf79f08693dbe2dbbd526

  • C:\Windows\{9BE55068-AB1E-4dae-9B6B-DAAF95FDE7E1}.exe

    Filesize

    344KB

    MD5

    b7f5e0f0e8680f8be37b901fcb6c3891

    SHA1

    ec7fa9c39dfcc7c38037adc9e6b25886f735be4c

    SHA256

    7466415b9391eea5a756f6a22b16ccce001411f6887db7a524bce5d66ee0761c

    SHA512

    0c8ef60d2da298257731f91be2a8c929f12b571e2a918565b8e06574bcebb0c51bc50b66291a98c415ccac70fd77333dee70e0eef54381300ac2b407a3dd0b40

  • C:\Windows\{C0291EF7-D268-4c34-AC4E-203C0D3C31EF}.exe

    Filesize

    344KB

    MD5

    b9f68913677705f57277be73df39ecab

    SHA1

    ab3490abfb3175dd721af323378aa19b158f8175

    SHA256

    d6320f029e541d1c6aa03b204cb521c793f9a245251ba89fb4a73d2d29475f5f

    SHA512

    17a5566746905c0ad0e482aaac8b0ab67650c8e886b324c739bf864d6bad8a46248bee35a6f2fab3906839d639671fc3d5589013af14a2343880e5d064d5a260

  • C:\Windows\{CFE17162-84E6-4d59-AAA8-BC2E922B9BDD}.exe

    Filesize

    344KB

    MD5

    d2a9f365578cf2b7e38c60f4f5ac9485

    SHA1

    958cb81f0fbf05b0e92dbdb86ec4933e8f8362a6

    SHA256

    c8f97f44bf5fe092b1d2da768f8f14734704f7018ba6cf36e832321aec625ac8

    SHA512

    e61a2d7a9f1a11d045adcf3ca12e381a49a6d981b5a7564a7646f3bf6ad5566f52aedaa095e1d87ca7d023cb3bd130e48dbe0c06fafe73aafee39fd784a6c7a3

  • C:\Windows\{D620CF8D-2144-4bc3-AE28-8371B2FE13C2}.exe

    Filesize

    344KB

    MD5

    099b96ae4dace0992bb198270e3ecff9

    SHA1

    a6c99e522a459ba9e611dda0103b5bf49975a039

    SHA256

    cf008f2cdaf8f84af18dd67f80fc75f8ebc4b7ffe881582f3f54b2b8cfcec0b7

    SHA512

    1d6dc17b0327b596ff7579ad231d4eaff873b23ebd8f6c3e5c070b1beebf586743fdbdec06d3d6dc5a07a4e9393bf239c9ce1022fc56dd42fe19485e7d046ca5

  • C:\Windows\{EB7B593B-8928-40c6-9B53-5539B1C28A1B}.exe

    Filesize

    344KB

    MD5

    0694b8c2338c61cbdde07d3d165e78de

    SHA1

    c84c02e3e7ddaeac51a216551fad932b1724c835

    SHA256

    64f4a7c89c5efd9e4a6187b7e9bbd6f0ab2427b430c9d338cc32b0ddfcab5b52

    SHA512

    3ad8e6e57e10e9881c93afc1a457b03852a3fbf1a5f262fb3f6d339d561c67bf0092bd5193609e0785b271e2add758c28d4688d15816ef2b139fefad2b5f78a3